Locally-configured Sources #
Adding a Source configuration #
Locally-configured sources are defined in your config.yaml file under the sources field. Because this file holds the scanner token and every source credential in plain text, restrict its permissions (for example chmod 600), keep it out of version control, and prefer read-only service accounts for every source you add.
Example config #
```yaml
concurrency: "8"
logLevel: info
sources:
  - connection:
      '@type': type.googleapis.com/sources.Confluence
      basicAuth:
        password: XXXXXXXXXXXXXXXXXXXXXXXXXX
        username: scanner-account@ourbusiness.com
      endpoint: https://ourbusiness.atlassian.net/wiki
    name: some Confluence data
    scanInterval: 43200s
    type: SOURCE_TYPE_CONFLUENCE
    verify: true
trufflehogAddress: https://gnarly-flying-pancake.c1.prod.trufflehog.org
trufflehogScannerGroup: account 1 - us-west-2
trufflehogScannerToken: thog-agent-XXXXXXXXXXXXXXXXXXXXXXXXXX
```
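Every source entry on this page follows the same shape: a connection block whose '@type' names the protobuf message, a matching SOURCE_TYPE_* value, a name, a scanInterval and a verify flag. Mismatching the two type fields, or copying one of the redacted XXXXXXXX placeholders straight from these examples, is an easy mistake to make in a hand-written config. The following Python script is an added example (not TruffleHog's own code or part of this documentation) that checks a parsed config.yaml for exactly those problems before the scanner is started. The type/@type pairs are taken from the examples on this page; the list of credential block names, the rule that a connection carries exactly one of them, and the requirement that the three trufflehog* top-level keys be present are this checker's own assumptions about the format, not documented tool behaviour. The sample configuration at the bottom is constructed for the demonstration.

```python
"""Static checks for a TruffleHog locally-configured sources file (added example,
not TruffleHog's code). Type/@type pairs come from the documentation examples;
credential block names and the trufflehog* key requirement are assumptions."""
import re

# Connection kind (suffix of '@type') -> expected SOURCE_TYPE_* value.
TYPE_FOR_CONNECTION = {
    "Confluence": "SOURCE_TYPE_CONFLUENCE",
    "Artifactory": "SOURCE_TYPE_JFROG_ARTIFACTORY",
    "Bitbucket": "SOURCE_TYPE_BITBUCKET",
    "Buildkite": "SOURCE_TYPE_BUILDKITE",
    "Filesystem": "SOURCE_TYPE_FILESYSTEM",
    "Gerrit": "SOURCE_TYPE_GERRIT",
    "Git": "SOURCE_TYPE_GIT",
    "GitHub": "SOURCE_TYPE_GITHUB",
    "GitLab": "SOURCE_TYPE_GITLAB",
    "Jenkins": "SOURCE_TYPE_JENKINS",
    "JIRA": "SOURCE_TYPE_JIRA",
    "Slack": "SOURCE_TYPE_SLACK",
    "S3": "SOURCE_TYPE_S3",
}
TYPE_PREFIX = "type.googleapis.com/sources."
# Credential selectors seen in the examples (assumed: exactly one per connection).
CREDENTIAL_KEYS = ("basicAuth", "token", "accessToken", "sshAuth",
                   "unauthenticated", "accessKey", "cloudEnvironment")
PLACEHOLDER = re.compile(r"X{8,}")           # the docs' redaction pattern
DURATION = re.compile(r"^\d+(\.\d+)?[smh]$")  # 43200s, 12h, ...


def _strings_in(block):
    """Yield every string nested under a credential block."""
    if isinstance(block, dict):
        for value in block.values():
            yield from _strings_in(value)
    elif isinstance(block, str):
        yield block


def check_source(src, index=0):
    """Return problem descriptions for one entry of the sources list."""
    where = f"sources[{index}]"
    conn = src.get("connection")
    if not isinstance(conn, dict):
        return [f"{where}: missing 'connection' block"]
    problems = []
    at_type = str(conn.get("@type", ""))
    expected = (TYPE_FOR_CONNECTION.get(at_type[len(TYPE_PREFIX):])
                if at_type.startswith(TYPE_PREFIX) else None)
    if expected is None:
        problems.append(f"{where}: unrecognised '@type' {at_type!r}")
    elif src.get("type") != expected:
        problems.append(f"{where}: 'type' should be {expected} for {at_type}")
    if not DURATION.match(str(src.get("scanInterval", ""))):
        problems.append(f"{where}: 'scanInterval' must be a duration such as 43200s")
    creds = [k for k in CREDENTIAL_KEYS if k in conn]
    if len(creds) != 1:
        problems.append(f"{where}: expected one credential block, found {creds}")
    for key in creds:  # a redacted example value must never ship as a credential
        if any(PLACEHOLDER.search(s) for s in _strings_in(conn[key])):
            problems.append(f"{where}: placeholder secret left in '{key}'")
    return problems


def check_config(cfg):
    """Return all problems in a parsed config.yaml (a dict); empty means OK."""
    problems = []
    for key in ("trufflehogAddress", "trufflehogScannerGroup", "trufflehogScannerToken"):
        value = str(cfg.get(key, ""))
        if not value or PLACEHOLDER.search(value):
            problems.append(f"top level: '{key}' is missing or still a placeholder")
    sources = cfg.get("sources")
    if not isinstance(sources, list) or not sources:
        return problems + ["top level: 'sources' must be a non-empty list"]
    for i, src in enumerate(sources):
        problems.extend(check_source(src, i))
    return problems


# Constructed sample mirroring the page's first example, with two deliberate
# mistakes: the redacted password was copied verbatim and 'type' is wrong.
SAMPLE_CONFIG = {
    "trufflehogAddress": "https://gnarly-flying-pancake.c1.prod.trufflehog.org",
    "trufflehogScannerGroup": "account 1 - us-west-2",
    "trufflehogScannerToken": "thog-agent-0123456789abcdef",
    "sources": [{
        "connection": {
            "@type": "type.googleapis.com/sources.Confluence",
            "basicAuth": {"password": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
                          "username": "scanner-account@ourbusiness.com"},
            "endpoint": "https://ourbusiness.atlassian.net/wiki"},
        "name": "some Confluence data", "scanInterval": "43200s",
        "type": "SOURCE_TYPE_JIRA", "verify": True}],
}

if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["OK: no problems found"]:
        print(line)
```

To run it against a real file, load the YAML with yaml.safe_load from PyYAML and pass the resulting dict to check_config; run on the constructed sample it reports the wrong SOURCE_TYPE and the placeholder password and nothing else.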
Artifactory #
Artifactory with Access Token #
It is recommended to generate an access token for a user with read-only permissions. To do so, create a new user in the JFrog Artifactory UI under “Identity and Access”. Leave all roles unchecked and make sure the user is a member of the readers group (selected by default). Once the user exists, open the “Access Tokens” tab and generate a token for it.
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Artifactory
      accessToken: access_token
      endpoint: https://example.jfrog.io
      repositories:
        - repo1
        - repo2
    name: Artifactory repository artifacts
    scanInterval: 43200s
    type: SOURCE_TYPE_JFROG_ARTIFACTORY
    verify: true
```
Artifactory with Basic Authentication #
Alternatively, basic authentication can be used.
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Artifactory
      basicAuth:
        password: secret
        username: username
      endpoint: https://example.jfrog.io
      repositories:
        - repo1
        - repo2
    name: Artifactory repository artifacts
    scanInterval: 43200s
    type: SOURCE_TYPE_JFROG_ARTIFACTORY
    verify: true
```
The password field may be one of:
- Access token
- Account password
- API key
BitBucket #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Bitbucket
      basicAuth:
        password: XXXXXXXXXXXXXXXXXXXXXXXXXX
        username: scanner-account
      endpoint: https://bitbucket.ourbusiness.com
    name: some BitBucket git data
    scanInterval: 43200s
    type: SOURCE_TYPE_BITBUCKET
    verify: true
```
If you use basic auth with an App Password, the App Password must have Read access to both Account and Repositories. A token can also be used in place of the password.
Buildkite #
Your API Access Token must have GraphQL API access enabled along with the following REST API Scopes: Organization Access, Read Artifacts, Read Builds, Read Build Logs, and Read Pipelines.
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Buildkite
      token: XXXXXXXXXXXXXXXXXXXXXXXXXX
    name: Buildkite logs and artifacts
    scanInterval: 43200s
    type: SOURCE_TYPE_BUILDKITE
    verify: true
```
Confluence #
For Confluence Cloud, configure basic authentication with your email address as the username and a Confluence Cloud API token as the password.
For on-premise Confluence instances, you can use a username and password with basic authentication, or a personal access token (PAT) with token authentication.
Confluence with basic authentication #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Confluence
      basicAuth:
        password: XXXXXXXXXXXXXXXXXXXXXXXXXX
        username: scanner-account@ourbusiness.com
      endpoint: https://ourbusiness.atlassian.net/wiki
    name: some Confluence data
    scanInterval: 43200s
    type: SOURCE_TYPE_CONFLUENCE
    verify: true
```
Confluence with personal access token (PAT) #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Confluence
      endpoint: https://ourbusiness.atlassian.net/wiki
      token: XXXXXXXXXXXXXXXXXXXXXXXXXX
    name: some Confluence data
    scanInterval: 43200s
    type: SOURCE_TYPE_CONFLUENCE
    verify: true
```
Filesystem #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Filesystem
      directories:
        - /home/me/dev
    name: some filesystem data
    scanInterval: 43200s
    type: SOURCE_TYPE_FILESYSTEM
    verify: true
```
File and Stdin #
Help #
```text
$ trufflehog file --help
usage: TruffleHog file [<flags>] [<path>]

Scan a file (defaults to standard in)

Flags:
      --help                  Show context-sensitive help (also try --help-long and --help-man).
  -v, --debug                 Enable debug mode.
      --trace                 Enable tracing of code line numbers.
      --json                  Enable JSON output.
      --send-error-telemetry  Turns error telemetry off.
      --quiet                 Only show results.

Args:
  [<path>]  Path of the file to scan
```
Example #
You need scanner-group credentials to run this. To obtain them, go to Settings -> Scanners on your isolated instance, create a scanner group, and download its config.
Tip: if you invoke the scanner frequently, run with --no-update to skip the update check and cut startup time.
```shell
# 3 different ways to invoke the file/stdin scanner (all three scan /etc/passwd)
./trufflehog file --config config.yaml --json /etc/passwd
cat /etc/passwd | ./trufflehog file --config config.yaml --json
./trufflehog file --config config.yaml --json < /etc/passwd
```
When using Docker, you must include the --interactive or -i flag (but not -t or --tty) for Docker to pass stdin through to TruffleHog:
```shell
docker run --net=host --restart=unless-stopped -v $(pwd)/config.yaml:/tmp/config.yaml -i us-docker.pkg.dev/thog-artifacts/public/scanner:latest file --config=/tmp/config.yaml
```
Gerrit #
If you omit projects, every project that the credential can list and access will be scanned.
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Gerrit
      basicAuth:
        password: XXXXXXXXXXXXXXXXXXXXXXXXXX
        username: scanner-account
      endpoint: https://gerrit.example.com
    name: Gerrit
    scanInterval: 43200s
    type: SOURCE_TYPE_GERRIT
    verify: true
```
Git #
The Git source expects a list of repository URIs and/or a list of local directories containing repositories to scan.
Unauthenticated #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Git
      directories:
        - /home/me/dev/vscode
      repositories:
        - https://github.com/dustin-decker/secretsandstuff.git
      unauthenticated: {}
    name: some unauthenticated Git data
    scanInterval: 43200s
    type: SOURCE_TYPE_GIT
    verify: true
```
Basic Auth #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Git
      basicAuth:
        password: clonePassword
        username: cloneUser
      repositories:
        - https://github.com/dustin-decker/secretsandstuff.git
    name: some basic auth Git data
    scanInterval: 43200s
    type: SOURCE_TYPE_GIT
    verify: true
```
SSH Auth #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Git
      repositories:
        - ssh://github.com/dustin-decker/secretsandstuff.git
      sshAuth: {}
    name: some SSH auth Git data
    scanInterval: 43200s
    type: SOURCE_TYPE_GIT
    verify: true
```
GitHub #
Personal Access Tokens should be created with the following scopes: repo, gist, and read:org.
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.GitHub
      endpoint: https://github.ourbusiness.com
      ignoreRepos:
        - trufflesecurity/trufflehog
        - torvalds/linux
      includeForks: true
      organizations:
        - trufflesecurity
      repositories:
        - https://github.ourbusiness.com/torvalds/linux.git
      scanUsers: true
      token: XXXXXXXXXXXXXXXXXXXXXXXXXX
    name: some GitHub data
    scanInterval: 43200s
    type: SOURCE_TYPE_GITHUB
    verify: true
```
GitLab #
Token Auth #
The GitLab token should be created with the read_api scope.
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.GitLab
      endpoint: https://gitlab.ourbusiness.com
      token: XXXXXXXXXXXXXXXXXXXXXXXXXX
    name: some GitLab data
    scanInterval: 43200s
    type: SOURCE_TYPE_GITLAB
    verify: true
```
Basic Auth #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.GitLab
      basicAuth:
        password: t0ken
        username: svc-user
      endpoint: https://gitlab.ourbusiness.com
    name: some GitLab data
    scanInterval: 43200s
    type: SOURCE_TYPE_GITLAB
    verify: true
```
Jenkins #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Jenkins
      basicAuth:
        password: XXXXXXXXXXXXXXXXXXXXXXXXXX
        username: scanner-account
      endpoint: https://jenkins.example.com
    name: Jenkins logs and artifacts
    scanInterval: 43200s
    type: SOURCE_TYPE_JENKINS
    verify: true
```
JIRA #
For JIRA Cloud, configure basic authentication with your email address as the username and a JIRA Cloud API token as the password.
For on-premise JIRA instances, you can use a username and password with basic authentication, or a personal access token (PAT) with token authentication.
If you omit projects, every project that the credential can list and access will be scanned.
JIRA with basic authentication #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.JIRA
      basicAuth:
        password: XXXXXXXXXXXXXXXXXXXXXXXXXX
        username: scanner-account@ourbusiness.com
      endpoint: https://ourbusiness.atlassian.net
      projects:
        - ENG
        - ITSYS
    name: some JIRA data
    scanInterval: 43200s
    type: SOURCE_TYPE_JIRA
    verify: true
```
JIRA with personal access token (PAT) #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.JIRA
      endpoint: https://ourbusiness.atlassian.net
      projects:
        - ENG
        - ITSYS
      token: XXXXXXXXXXXXXXXXXXXXXXXXXX
    name: some JIRA data
    scanInterval: 43200s
    type: SOURCE_TYPE_JIRA
    verify: true
```
Microsoft Teams #
When configuring the Teams scanner from the UI, the Team ID field refers to your Microsoft Teams team ID. To find it, open the Teams app, click the … button next to the team in the left-hand pane (the team itself, not one of its channels) and choose “Get link to team”.
The Team ID will come right after groupId in the link provided. (ex. xxxgroupId=
The Teams integration currently requires the web UI to scan sources. Local configuration, using client credentials or OAuth2, is planned.
Slack #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Slack
      channels:
        - General
        - Random
      endpoint: https://mybusiness.slack.com
      ignoreList:
        - General
      token: XXXXXXXXXXXXXXXXXXXXXXXXXX
    name: some Slack workspace
    scanInterval: 43200s
    type: SOURCE_TYPE_SLACK
    verify: true
```
Single Workspace App #
If you are able, we recommend installing the Slack app from the UI: it is much easier, and it also scans faster because it has higher rate limits.
You may instead create your own single-workspace Slack app to use with TruffleHog and provide the resulting token in the token field of the example above. The steps to create the app are:
- Start creating the app here.
- Give the app a name and choose the workspace you want TruffleHog to operate on. (You will need a separate app for each workspace.)
- Update the “User Token Scopes” section with the following scopes:
  - users:read
  - users:read.email
  - channels:history
  - channels:read
  - groups:history
  - groups:read
  - files:read
- Make sure everything is saved and looks correct, then install your app.
- If your user does not have permission to install the app, Slack may send a request to your Slack admin asking them to approve it. If so, it is a good idea to give them a heads-up before you do this.
- Copy your newly minted token and paste it into the token field of the local configuration file above. (Tip: remove the channels line and its values if you want TruffleHog to scan all accessible channels.)
- Once you run your local scan, TruffleHog will pick up and scan the configured Slack source.
S3 #
If you omit providing buckets then all buckets that the credential can list and access will be scanned.
S3 with AWS IAM credentials (recommended) #
Example IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": "*"
    }
  ]
}
```
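The policy above grants read access to every bucket in the account, which is what the scanner needs when buckets is omitted and it enumerates whatever the credential can see. When you do list buckets in the source, the same four actions can be scoped to those buckets. The following Python function is an added example (not TruffleHog's own code or a policy the project publishes) that derives the scoped policy from the S3 source entry in config.yaml: s3:ListBucket and s3:GetBucketLocation go on the bucket ARNs, s3:GetObject on the objects beneath them, and only s3:ListAllMyBuckets, which is account-wide, stays on "*". Whether the scanner still calls ListAllMyBuckets when buckets is given is not documented here, so the example keeps that statement as a conservative assumption; the sample source at the bottom is constructed for the demonstration.

```python
"""Derive a least-privilege IAM policy for the TruffleHog S3 source (added
example, not TruffleHog's code). The wildcard policy from the documentation is
returned when no buckets are configured; otherwise actions are scoped."""
import json

BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket"]  # bucket-level ARN
OBJECT_ACTIONS = ["s3:GetObject"]                            # object-level ARN
ALL_ACTIONS = ["s3:GetBucketLocation", "s3:ListAllMyBuckets",
               "s3:ListBucket", "s3:GetObject"]


def s3_read_policy(buckets=None):
    """Return an IAM policy dict allowing TruffleHog to read `buckets`.

    With no buckets the documentation's wildcard policy is returned unchanged,
    since the scanner then has to discover and read every bucket it can see.
    """
    if not buckets:
        return {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ALL_ACTIONS,
                               "Resource": "*"}]}
    bucket_arns = [f"arn:aws:s3:::{name}" for name in buckets]
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Listing the account's buckets cannot be scoped to a bucket ARN.
            # Assumption: the scanner may still enumerate buckets; drop this
            # statement if your CloudTrail shows it is never called.
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": bucket_arns},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS,
             "Resource": [f"{arn}/*" for arn in bucket_arns]},
        ],
    }


def policy_for_source(source):
    """Build the policy from one S3 source entry of config.yaml (a dict)."""
    conn = source.get("connection", {})
    if conn.get("@type") != "type.googleapis.com/sources.S3":
        raise ValueError("not an S3 source")
    return s3_read_policy(conn.get("buckets"))


# Constructed sample: the page's two-bucket S3 source without the access key,
# i.e. what you would run under an IAM role via cloudEnvironment.
SAMPLE_SOURCE = {
    "connection": {
        "@type": "type.googleapis.com/sources.S3",
        "buckets": ["bucket-one", "bucket-two"],
    },
    "name": "some S3 data",
    "scanInterval": "43200s",
    "type": "SOURCE_TYPE_S3",
    "verify": True,
}

if __name__ == "__main__":
    print(json.dumps(policy_for_source(SAMPLE_SOURCE), indent=2))
```

Attach the printed document to the scanner's IAM role or user; if you later add a bucket to the source, regenerate the policy rather than widening Resource back to "*".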
Configuration:
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.S3
      cloudEnvironment: {}
    name: some S3 data
    scanInterval: 43200s
    type: SOURCE_TYPE_S3
    verify: true
```
S3 with static credentials #
```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.S3
      accessKey:
        key: AKIAKEYID
        secret: XXXXXXXXXXXXXXXXXXXXXXXXXX
      buckets:
        - bucket-one
        - bucket-two
    name: some S3 data
    scanInterval: 43200s
    type: SOURCE_TYPE_S3
    verify: true
```